fix(bundle): resolve OLM installation and runtime errors

This commit fixes issues that prevented the operator from installing
and running correctly via an OLM bundle.

Key changes:
- Use `clusterPermissions` in CSV to ensure correct cluster-wide RBAC.
- Automate RBAC manifests copying and namespace patching in the bundle.
- Remove `USER nobody` from Containerfiles to avoid runtime permission errors.

Signed-off-by: Yalan Zhang <[email protected]>

Author: yalzhang

Containerfile

@@ -33,4 +33,3 @@ RUN cargo build -p operator $(if [ "$build_type" = release ]; then echo --releas
 FROM quay.io/fedora/fedora:42
 ARG build_type
 COPY --from=builder "/build/target/$build_type/operator" /usr/bin
-USER nobody

Makefile

@@ -114,7 +114,7 @@ bundle: manifests
 	@OPERATOR_IMAGE=$(OPERATOR_IMAGE) \
 	COMPUTE_PCRS_IMAGE=$(COMPUTE_PCRS_IMAGE) \
 	REG_SERVER_IMAGE=$(REG_SERVER_IMAGE) \
-	scripts/generate-bundle-prod.sh -v $(TAG) $(if $(PREVIOUS_CSV),-p $(PREVIOUS_CSV))
+	scripts/generate-bundle-prod.sh -v $(TAG) -n $(NAMESPACE) $(if $(PREVIOUS_CSV),-p $(PREVIOUS_CSV))
 
 bundle-image: bundle
 	@echo "Building OLM bundle image..."

README.md

@@ -77,23 +77,15 @@ This operator can be packaged and deployed as an OLM bundle. This workflow suppo
 
 **1. Prerequisites**
 
-*   **Setup Cluster:** Ensure your `kubectl` context points to your target cluster. For local development, you can create a `kind` cluster by running:
-    ```bash
-    # Set RUNTIME=docker if using Docker instead of Podman.
-    make cluster-up
-    ```
-
-*   **Login to Registry:**
-    ```bash
-    # Login to your remote container registry (e.g., quay.io)
-    docker login quay.io
-    ```
-
-*   **Install OLM:**
-    ```bash
-    # Install OLM on your target cluster
-    (cd /tmp && operator-sdk olm install)
-    ```
+For local development (kind):
+```bash
+# Set RUNTIME=docker if using Docker instead of Podman
+make cluster-up
+# Login to your remote container registry (e.g., quay.io)
+docker login quay.io
+# Install OLM on your target cluster
+(cd /tmp && operator-sdk olm install)
+```
 
 **2. Set Environment Variables**
 
@@ -114,11 +106,6 @@ The `push-all` target builds all operator images, generates the bundle, builds t
 make push-all
 ```
 
-You can optionally validate the generated bundle manifests at any time after the `bundle` has been generated:
-```bash
-(cd ./bundle && operator-sdk bundle validate .)
-```
-
 **4. Deploy the Bundle**
 
 Deploy the bundle to your cluster. We use `trusted-execution-clusters` as an example namespace.
@@ -135,20 +122,21 @@ Once the operator is running, you need to create a `TrustedExecutionCluster` cus
 First, you must update the example CR with the correct public address for the Trustee service, which must be accessible from your worker nodes or VMs.
 
 ```bash
-# Provide an address where your VMs can access the cluster.
-# When using a local kind cluster, this is often the kind bridge IP.
-$ ip route
-...
-192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
-...
-$ export TRUSTEE_ADDR=192.168.122.1
-
-# Use yq (or manually edit) to set the address in the CR.
-# Note: yq is installed via 'make build-tools'.
-$ yq -i '.spec.publicTrusteeAddr = "'$TRUSTEE_ADDR':8080"' config/deploy/trusted_execution_cluster_cr.yaml
-
-# Now, apply the configured CR
-$ kubectl apply -f config/deploy/trusted_execution_cluster_cr.yaml
+# Determine an address reachable by the VMs (for libvirt, usually the bridge IP)
+ip route | grep virbr0
+# Example output:
+# 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
+export TRUSTEE_ADDR=192.168.122.1
+
+# Update the CR with the trustee address (yq is installed via `make build-tools`)
+yq -i '.spec.publicTrusteeAddr = "'$TRUSTEE_ADDR':8080"' \
+  config/deploy/trusted_execution_cluster_cr.yaml
+
+# Apply the configured CRs
+kubectl apply -f config/deploy/trusted_execution_cluster_cr.yaml
+kubectl apply -f config/deploy/approved_image_cr.yaml
+kubectl apply -f kind/kbs-forward.yaml
+kubectl apply -f kind/register-forward.yaml
 ```
 
 #### **Cleaning Up the Bundle Deployment**
@@ -166,7 +154,6 @@ To clean up your environment after running the non-OLM `Quick Start` method, exe
 make cluster-cleanup
 # Note: You must use the same RUNTIME environment variable for `cluster-down`
 # that you used for `cluster-up`. For example:
-#
 # RUNTIME=docker make cluster-down
 make cluster-down
 make clean

bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml

@@ -72,7 +72,7 @@ spec:
   install:
     strategy: deployment
     spec:
-      permissions:
+      clusterPermissions:
         - serviceAccountName: trusted-cluster-operator
           # Rules are dynamically generated from config/rbac/role.yaml during the bundle build
           rules: []

compute-pcrs/Containerfile

@@ -32,4 +32,3 @@ FROM quay.io/fedora/fedora:42
 ARG build_type
 COPY --from=builder "/build/target/$build_type/compute-pcrs" /usr/bin
 COPY --from=builder /build/reference-values /reference-values
-USER nobody

register-server/Containerfile

@@ -29,6 +29,5 @@ RUN cargo build -p register-server $(if [ "$build_type" = release ]; then echo -
 FROM quay.io/fedora/fedora:42
 ARG build_type
 COPY --from=builder "/build/target/$build_type/register-server" /usr/bin
-USER nobody
 EXPOSE 3030
 ENTRYPOINT ["/usr/bin/register-server"]

scripts/generate-bundle-prod.sh

@@ -8,12 +8,14 @@ set -euo pipefail
 
 BUNDLE_VERSION=""
 PREVIOUS_CSV=""
+NAMESPACE="trusted-execution-clusters"
 
-while getopts "v:p:" opt; do
+while getopts "v:p:n:" opt; do
   case $opt in
     v) BUNDLE_VERSION="$OPTARG" ;;
     p) PREVIOUS_CSV="$OPTARG" ;;
-    *) echo "Usage: $0 -v <bundle-version> [-p <previous-csv>]"; exit 1 ;;
+    n) NAMESPACE="$OPTARG" ;;
+    *) echo "Usage: $0 -v <bundle-version> [-p <previous-csv>] [-n <namespace>]"; exit 1 ;;
   esac
 done
 
@@ -39,6 +41,9 @@ mkdir -p "${BUNDLE_MANIFESTS}" "${BUNDLE_METADATA}"
 echo "=> Copying CRDs and static assets..."
 shopt -s nullglob
 cp "${PROJECT_ROOT}/config/crd"/*.yaml "${BUNDLE_MANIFESTS}/"
+cp "${PROJECT_ROOT}/config/rbac"/*.yaml "${BUNDLE_MANIFESTS}/"
+rm -f "${BUNDLE_MANIFESTS}/kustomization.yaml"
+rm -f "${BUNDLE_MANIFESTS}/service_account.yaml"
 cp "$CSV_TEMPLATE" "${BUNDLE_MANIFESTS}/"
 cp "$ANNOTATIONS_TEMPLATE" "${BUNDLE_METADATA}/"
 
@@ -59,7 +64,18 @@ for env_var in COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE; do
 done
 
 # Patch RBAC rules
-yq -i ".spec.install.spec.permissions[0].rules = load(\"${RBAC_ROLE_FILE}\").rules" "$CSV_FILE"
+yq -i ".spec.install.spec.clusterPermissions[0].rules = load(\"${RBAC_ROLE_FILE}\").rules" "$CSV_FILE"
+
+echo "=> Patching RBAC binding namespaces..."
+for binding_file in role_binding.yaml metrics_auth_role_binding.yaml leader_election_role_binding.yaml; do
+  file_path="${BUNDLE_MANIFESTS}/${binding_file}"
+  if [ -f "$file_path" ]; then
+    echo "--> Patching ${binding_file}..."
+    yq -i ".subjects[0].namespace = \"${NAMESPACE}\"" "$file_path"
+  else
+    echo "WARN: Binding file ${binding_file} not found in bundle, skipping patch."
+  fi
+done
 
 # Set .spec.replaces for automatic upgrades if provided
 if [[ -n "$PREVIOUS_CSV" ]]; then